CVE-2026-31673 Overview
CVE-2026-31673 is a race condition vulnerability in the Linux kernel's af_unix subsystem. The flaw exists in how exact UNIX diagnostic (diag) lookups read UNIX_DIAG_VFS data. Exact UNIX diag lookups hold a reference to the socket but not to u->path, while unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. This creates a window where VFS data can be accessed after release. The vulnerability affects multiple Linux kernel versions including the 7.0 release candidate series.
Critical Impact
Local attackers with low privileges can exploit this race condition through the kernel's UNIX socket diagnostic interface to compromise confidentiality, integrity, and availability of the affected system. In mechanism terms, the diag path reads a dentry and inode that may already have been freed, so the realistic outcomes are a kernel crash or disclosure of stale VFS values to the caller.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Any system with UNIX socket diagnostics enabled (CONFIG_UNIX_DIAG, the unix_diag module), which distribution kernels commonly ship because tools such as ss depend on it
Discovery Timeline
- 2026-04-25 - CVE-2026-31673 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31673
Vulnerability Analysis
The vulnerability resides in the af_unix subsystem responsible for handling UNIX domain sockets in the Linux kernel. The UNIX diag netlink interface allows userspace tools to enumerate and inspect UNIX sockets, including filesystem path information exposed through the UNIX_DIAG_VFS attribute. This attribute contains the inode and device numbers associated with the socket's bound path.
During an exact UNIX diag lookup, the kernel holds a reference to the socket structure but does not acquire a reference to the underlying u->path field. Concurrently, unix_release_sock() can clear u->path while holding unix_state_lock(), then drop the associated path reference after releasing the lock. The diag code path reads VFS metadata outside this protected critical section.
The fix reads the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emits the netlink attribute after dropping the lock. This ensures VFS data remains stable during reply construction.
Root Cause
The root cause is a synchronization defect: a race between concurrent socket diagnostic reads and socket release. The exact diag lookup path read u->path without serializing against unix_release_sock(), which clears that field under unix_state_lock() and then drops the last reference to the path after unlocking. Because the diag reader holds no reference of its own on the path, it can dereference a dentry and inode that have already been freed, a use-after-free read on VFS structures.
Attack Vector
Exploitation requires local access with low privileges and no user interaction. The attacker issues exact UNIX diag requests over AF_NETLINK with NETLINK_SOCK_DIAG (a SOCK_DIAG_BY_FAMILY message with udiag_ino set and UDIAG_SHOW_VFS requested) while the looked-up UNIX socket is being closed by another thread. The window between unix_release_sock() clearing u->path and the final drop of the path reference is narrow, but on a multi-core system the attempt can be repeated indefinitely by racing a closing thread against a querying thread. Because the diag side only reads, successful exploitation means a read of freed memory: a kernel crash when the freed dentry or inode is dereferenced, or disclosure of stale inode and device numbers from freed VFS structures.
No public proof-of-concept code is available for CVE-2026-31673. The vulnerability mechanism is documented in the upstream kernel commits referenced below.
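The interface described above, as an added example that is not part of this advisory, of NVD, or of the kernel tree: a C program that builds the exact UNIX diag request (the same SOCK_DIAG_BY_FAMILY message the attack vector relies on, here asking only for UDIAG_SHOW_VFS), parses the UNIX_DIAG_VFS attribute out of a reply with every length checked before it is trusted, and, when run on a Linux host, looks up one of its own bound sockets and compares the reported VFS inode with stat() of the path. It assumes the Linux UAPI headers are installed; the reply used by its self-test is a constructed buffer, not a capture, and the socket path under /tmp is an arbitrary choice for the example. It does not attempt to trigger the race.

```c
/* Added example, not code from the advisory or the Linux tree. Builds the
 * exact UNIX diag request (NLM_F_REQUEST without NLM_F_DUMP, udiag_ino set,
 * UDIAG_SHOW_VFS requested) and parses UNIX_DIAG_VFS out of a reply. Layouts
 * come from the Linux UAPI headers; the self-test reply is constructed, not
 * captured; the /tmp path in main() is an arbitrary choice. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <linux/netlink.h>
#include <linux/sock_diag.h>
#include <linux/unix_diag.h>

struct diag_req { struct nlmsghdr nlh; struct unix_diag_req r; };

/* Exact lookup of one AF_UNIX socket by its sockfs inode, VFS data only. */
static size_t build_exact_vfs_req(struct diag_req *m, uint32_t sock_ino, uint32_t seq)
{
    memset(m, 0, sizeof(*m));
    m->nlh.nlmsg_len   = NLMSG_LENGTH(sizeof(m->r));
    m->nlh.nlmsg_type  = SOCK_DIAG_BY_FAMILY;
    m->nlh.nlmsg_flags = NLM_F_REQUEST;           /* no NLM_F_DUMP: exact path */
    m->nlh.nlmsg_seq   = seq;
    m->r.sdiag_family  = AF_UNIX;
    m->r.udiag_states  = ~0U;
    m->r.udiag_ino     = sock_ino;
    m->r.udiag_show    = UDIAG_SHOW_VFS;
    return m->nlh.nlmsg_len;
}

/* Extract UNIX_DIAG_VFS from one SOCK_DIAG_BY_FAMILY reply: 0 on success,
 * -ENOENT if absent, -EINVAL if truncated or malformed. */
static int parse_vfs_reply(const void *buf, int len, uint32_t *ino, uint32_t *dev)
{
    const struct nlmsghdr *nlh = buf;
    if (!NLMSG_OK(nlh, len) || nlh->nlmsg_type != SOCK_DIAG_BY_FAMILY ||
        nlh->nlmsg_len < NLMSG_SPACE(sizeof(struct unix_diag_msg)))
        return -EINVAL;
    const unsigned char *p = (const unsigned char *)NLMSG_DATA(nlh) +
                             NLMSG_ALIGN(sizeof(struct unix_diag_msg));
    size_t rem = NLMSG_PAYLOAD(nlh, sizeof(struct unix_diag_msg));
    while (rem >= NLA_HDRLEN) {                   /* attribute lengths checked first */
        const struct nlattr *na = (const struct nlattr *)p;
        if (na->nla_len < NLA_HDRLEN || na->nla_len > rem) return -EINVAL;
        if ((na->nla_type & NLA_TYPE_MASK) == UNIX_DIAG_VFS) {
            struct unix_diag_vfs uv;
            if (na->nla_len - NLA_HDRLEN < sizeof(uv)) return -EINVAL;
            memcpy(&uv, p + NLA_HDRLEN, sizeof(uv));    /* alignment-safe copy */
            *ino = uv.udiag_vfs_ino;
            *dev = uv.udiag_vfs_dev;
            return 0;
        }
        if (NLA_ALIGN(na->nla_len) > rem) break;
        p   += NLA_ALIGN(na->nla_len);
        rem -= NLA_ALIGN(na->nla_len);
    }
    return -ENOENT;
}

/* Constructed sample reply (not a capture; little-endian host assumed):
 * nlmsghdr{len 44, type 20} + unix_diag_msg{AF_UNIX, SOCK_STREAM, ino 12345}
 * + nlattr{len 12, type UNIX_DIAG_VFS} + unix_diag_vfs{ino 4242, dev 0x801}. */
static const uint32_t sample_reply[11] = {
    44, SOCK_DIAG_BY_FAMILY, 0, 0,
    0x0101u, 12345, 0, 0,
    (UNIX_DIAG_VFS << 16) | 12, 4242, 0x801
};
static size_t sample_req_len(void) { struct diag_req m; return build_exact_vfs_req(&m, 1, 1); }
static int sample_parse(uint32_t *ino, uint32_t *dev) { return parse_vfs_reply(sample_reply, 44, ino, dev); }
static uint32_t sample_vfs_ino(void) { uint32_t i = 0, d = 0; sample_parse(&i, &d); return i; }
static uint32_t sample_vfs_dev(void) { uint32_t i = 0, d = 0; sample_parse(&i, &d); return d; }
/* A reply cut short inside the attribute must be rejected, not read past. */
static int truncated_parse_status(void) { uint32_t i = 0, d = 0; return parse_vfs_reply(sample_reply, 40, &i, &d); }

/* Live round trip: bind a UNIX socket, look it up by its sockfs inode (fstat)
 * and compare the reported VFS inode with stat() of the path. EPERM from
 * socket(NETLINK_SOCK_DIAG) means a seccomp or MAC workaround is in effect.
 * Only inodes are compared: udiag_vfs_dev uses the kernel's s_dev encoding. */
int main(void)
{
    int nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
    if (nl < 0) { perror("socket(NETLINK_SOCK_DIAG)"); return 1; }
    struct sockaddr_un sun = { .sun_family = AF_UNIX, .sun_path = "/tmp/diag-example.sock" };
    int us = socket(AF_UNIX, SOCK_STREAM, 0);
    unlink(sun.sun_path);
    if (us < 0 || bind(us, (struct sockaddr *)&sun, sizeof(sun)) < 0) { perror("bind"); return 1; }
    struct stat sk_st, path_st;
    if (fstat(us, &sk_st) < 0 || stat(sun.sun_path, &path_st) < 0) { perror("stat"); return 1; }
    struct diag_req req;
    size_t len = build_exact_vfs_req(&req, (uint32_t)sk_st.st_ino, 1);
    if (send(nl, &req, len, 0) < 0) { perror("send"); return 1; }
    uint32_t rbuf[256], ino = 0, dev = 0;
    int n = (int)recv(nl, rbuf, sizeof(rbuf), 0);
    int rc = n < 0 ? -errno : parse_vfs_reply(rbuf, n, &ino, &dev);
    printf("socket ino %llu: UNIX_DIAG_VFS ino %u dev 0x%x, path ino %llu, rc %d\n",
           (unsigned long long)sk_st.st_ino, ino, dev, (unsigned long long)path_st.st_ino, rc);
    unlink(sun.sun_path);
    return rc == 0 && ino == (uint32_t)path_st.st_ino ? 0 : 1;
}
```

Build with cc -Wall -o unixdiag unixdiag.c and run it as an ordinary user. On an unrestricted host the round trip prints rc 0 with matching inodes, which shows that no capability is needed to reach sk_diag_fill() for an arbitrary socket inode; inside a container carrying the seccomp profile from the Workarounds section, socket(NETLINK_SOCK_DIAG) fails with EPERM, which is the quick way to confirm that workaround is in force. An NLMSG_ERROR reply (for example ENOENT for an inode that is not a UNIX socket) is rejected by the parser with -EINVAL.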
Detection Methods for CVE-2026-31673
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing unix_diag, unix_release_sock, or sk_diag_fill in dmesg or /var/log/kern.log
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in af_unix code paths
- Unprivileged processes opening AF_NETLINK sockets with the NETLINK_SOCK_DIAG protocol at unusual rates (iproute2's ss uses the same interface, so establish a baseline of legitimate callers before alerting)
Detection Strategies
- Audit kernel ring buffer logs for warnings or BUG reports originating in net/unix/diag.c or net/unix/af_unix.c
- Monitor for unprivileged processes performing high-frequency UNIX socket enumeration via sock_diag netlink calls, after baselining legitimate users such as ss and monitoring agents
- Enable kernel runtime self-protection features and review crash signatures matching the affected functions
Monitoring Recommendations
- Track installed kernel package versions across the fleet and compare against patched stable releases
- Aggregate kernel crash telemetry centrally to identify recurring fault patterns in af_unix
- Alert on user processes that combine rapid socket creation, binding, and concurrent diag queries
How to Mitigate CVE-2026-31673
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits as soon as distribution updates become available
- Inventory all Linux systems running affected kernel versions, prioritizing multi-tenant hosts and shared-use systems
- Restrict local shell access on critical systems until the patched kernel is deployed and rebooted
Patch Information
The fix is committed to the upstream Linux kernel and backported to multiple stable branches. The referenced commits (short hashes) are 0c739f37, 39897df3, 900a4e09, b9232421, and bdf206e7. Administrators should update to a distribution kernel that incorporates these commits and reboot affected systems.
Workarounds
- Limit unprivileged access to NETLINK_SOCK_DIAG by tightening seccomp profiles on untrusted workloads and containers
- Keep capability grants minimal, but do not rely on them here: the sock_diag exact lookup requires neither CAP_NET_ADMIN nor CAP_SYS_PTRACE, which is why the required privilege level is rated low; seccomp and mandatory access control are the controls that actually deny the interface
- Deploy mandatory access control policies (SELinux, AppArmor) that restrict the sock_diag netlink family to required system services
# Configuration example: restrict sock_diag via seccomp in a container profile
# Denies socket(AF_NETLINK, *, NETLINK_SOCK_DIAG) for untrusted workloads:
# arg 0 == 16 (AF_NETLINK) and arg 2 == 4 (NETLINK_SOCK_DIAG); the two
# comparisons inside one rule are ANDed. SCMP_ACT_ERRNO returns EPERM unless
# an errnoRet is given.
# (Illustrative - integrate with your runtime's seccomp policy. On 32-bit x86
# also cover the legacy socketcall() multiplexer, and expect ss inside the
# container to lose its sock_diag path.)
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": 16, "op": "SCMP_CMP_EQ" },
        { "index": 2, "value": 4, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


